This is the mail archive of the cygwin@sources.redhat.com mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

Re: inetd security hole?


Bob Heckel wrote:
> 
> I just set up inetd-1.3.2-5p1 as a service on my W2K box.  My
> thanks to the Cygwin team.  Great job on this piece.  There
> may, however, be a security hole for some people.  I was
> able to FTP from a remote Unix box to my Cygwin W2K box
> simply by using user guest and password (enter).  Had to
> delete the Guest entry from /etc/passwd to close the hole.
> 
> I may not be configured properly and your system may be
> different but I wanted to make sure no one is accidently
> exposed to trouble.  I checked the mailing list search
> engine prior to posting this and didn't see any warnings regarding this
> issue.
> 
> Bob Heckel
> 

This sounds like part of the NT heritage.  On an NT system the user
name "guest" (null password) is normally enabled - might even be
immutable.  Guest, however, should have minimum or no access. 
Making that a true statement is an administrator's job.  

-- 
David A. Cobb, Software Engineer, Public Access Advocate
"Don't buy or use crappy software"
"By the grace of God I am a Christian man, 
 by my actions a great sinner" -- The Way of a Pilgrim [R. M.
French, tr.]

--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe@sourceware.cygnus.com


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]